Panda Security Suffers the Wrath of AntiSec

When I woke up Tuesday and was told that the FBI had arrested Sabu and five other cheerleaders of the "LulzSec" movement, I knew my day would be blown to hell even though antivirus is meaningless in my current reality.

From every corner of the media, chirping voices and cheery written prose announced the end of "Anonymous" at the hands of the FBI, along with the news that the great Sabu had turned out to be the informant that had finally sunk the Lulzboat. And the town rejoiced. Animated Disney bluebirds sang out the news. Yay.

Those of us who are veterans of the world of antimalware and skiddies on the rampage however, knew better.

While the FBI may have "taken off the head of the snake," those of us who have grappled snakes knew full well that the body would begin twitching out of control and trying desperately to wrap around anything reachable nearby.

And so "the great sh*tstorm of our time" began. Along with all the wriggling and hissing of "snake sex." First up for mayhem in the revenge of the Lulzers was Spanish antivirus company Panda.

Now defacements have become a familiar and frequent part of the sideshow that the Lulzers delight in pasting up, and ordinarily these are no big deal. Most defaced sites are taken down before many people get to see the digital graffiti.

Not so with the numerous Panda sites this time. In fact, as I write this article, the sites incredibly remain defaced some seven plus hours after the attack. It truly makes me wonder who's driving the bus over there. Have they not noticed as word gets around as to what happened there?

Even worse is the content OF the defacement. It's not just the LulzXmas video and the usual commentary that accompanies defacements, the defacement also contains tremendous amounts of extremely sensitive corporate information including internal accounts, passwords, server and cloud infrastructure configurations as well as the most frightening piece of all, direct access information to the antivirus lab's Teamviewer access as well as alternate means of accessing their internals via "logmein."

It is the latter which I consider the most serious breach left for all to see on Panda's sites.

As I've said many times before, I've worked in antivirus and most companies have labs all around the world where analysts in various remote locations access the master definitions database with each malware they analyze.

Once they've reversed and come up with a definition, they connect to that central database containing signatures and add the new signature(s) which are then distributed to their products as part of their frequent updates.

In the defacement, Antisec attackers clearly state that "WE HAVE BACKDOORED" Panda's antivirus. They then provided the keys to Teamviewer clearly published in their defacements in Spanish:

Estas son las IDs de TeamViewer, como siempre contraseña panda

(specifics expunged here)

This is particularly troubling because anyone who recalls the various misadventures when an antivirus distributed a false positive in their database which completely hosed systems from time to time by deleting key operating system files accidentally must be acutely aware of the significant damage that can be caused if spurious entries are placed into an antivirus detection database specifically targeting legitimate system files.

An even bigger risk is the potential removal of existing definitions for malware which would allow such to pass completely undetected owing to a lack of a definition since antivirus definitions consist of blacklisted files or definitions of behaviors for "heuristic" detection. If those are removed, it becomes easy to plant malware or exploits completely undetected.

Given what's printed on the defacement page, there appears to be no signs that AntiSec has accessed either their source code or their executable program files, but the claim that they've been in Panda's system for an unknown amount of time is disturbing given that they've apparently provided access information and permissions not only for the labs themselves, but also apparently the cloud server for their "cloud antivirus" service as well.

It's important to note that antivirus software's executable files contain only the engine and ancillary files to establish legitimate users. The purpose of the engine is to read in data from the definitions databases which are frequently updated.

It is the database of definitions that contains what you're paying for in the actual product and the defacement indicates that Antisec may well have had access to the contents of those databases for some unknown amount of time.

Malware analysts can add to the signature database, and they can also remove or modify existing definitions as is commonly done when complaints of false positives are received. It is this signature database, along with the engine that determines the capability of any antivirus or antimalware product.

In other words, there is no need to mess with the engine itself, any damage or concealment can be accomplished solely by manipulating that database and its contents without ever having to touch the source code or the delivered executables.

Therefore, as serious as a leak of source code for the engine and ancillary files might be (in the case of the recent Symantec drama) it is the databases themselves which are the most critical component of any antivirus product and their integrity and protection is FAR more important than the source code itself.

Antivirus companies can recover from a defective database from archives, although it would mean manual re-entry of signatures made since the last known good update. But the problem here is AntiSec's claim to have been inside Panda's operation for an unknown period of time.

And the fact that Panda has allowed the defacement to remain online for such an incredibly long period of time raises serious issues of competence and trust given that they have a lab in China that should have spotted this after close of business in Spain and taken quick action.

They appear to have remote labs in other locations as well and nobody appears to have spotted this and taken the sites down given the incredibly sensitive and destructive information on those pages.

Given all this, I am extremely disappointed to see such a major operation fail in such a serious way. I would not trust any updates for the product or from their cloud service until they can determine for certain that they can locate a guaranteed untampered-with database along with a full explanation as to how long they've been compromised.

This breach makes the Symantec hoohah look like child's play. In Symantec's case, the only real threat was that their source code was on public display. Access to the actual databases remotely is a far more serious concern.

Now for the record, all I have to go on here is a list of accounts, server names and configuration files with "user and group write" permissions (which is all "hackers" need with any lucky account login for a member of the lab group) but it DOES appear as though the definitions database very well could have been accessed based on what I see on the defacement page and only Panda can answer the question here.

It's certainly how other antivirus companies do business and this is indeed what the industry's typical infrastructure looks like with the remote access. The prime defacement was their lab site although their other sites were also defaced.

I could be wrong here, please keep that in mind.

However, it sure does appear as though AntiSec's claims to "backdoor" are quite plausible. If it's actually true, put a fork in Panda ... I've known and always admired Luis since back in my BOClean days, and this is truly a sad turn of events.

Update: at 0250 hours, US Eastern time, the Panda sites finally became unreachable.

About the author: Kevin McAleavey is the architect of the KNOS secure operating system ( http://www.knosproject.com ) in Albany, NY and has been in antimalware research and security product development since 1996.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.